IPv6: Taking the right steps

Although he acknowledges businesses have yet to embrace IPv6, security guru, Scott Hogg, says that doesn’t mean IT executives can ignore the security problems that the next generation Internet protocol can present.

Although he acknowledges businesses have
yet to embrace IPv6, security guru, Scott
Hogg, says that doesn’t mean IT executives
can ignore the security problems that the next
generation Internet protocol can present. After
all, he notes, operating systems such as Microsoft
Vista and Linux are already IPv6 capable and thus
any networks that use them might be handling IPv6
traffic without their operators’ knowledge.
Hogg, who is also the coauthor of the Cisco-approved
IPv6 Security guidebook, talks to BRAD
REED about steps network operators can take to
ensure that they don’t inadvertently let the network
get compromised by stealth IPv6 packets.

You say a lot of organisations may already
have IPv6 running over their networks and
not realise it. Can you give me an example
of how this happens?

Scott Hogg (SH): Well it might happen if they have
IPv6-capable hosts, meaning that maybe their own
network doesn’t run IPv6 per se but that traffic
can be tunnelled over IPv4 systems. If you have
machines on your network that run Vista, then that
would run both protocols at the same time. And
even if your network isn’t using the IPv6 stack, there
are ways to awaken the IPv6 stack. For instance,
Windows XP systems can be configured to run IPv6,
so a hacker can turn it on by infecting your machine
with some worm that changes your settings.

Can you explain in greater detail what you
mean by IPv6 traffic being “tunnelled”
through IPv4 systems?

SH: Sure. Right now there aren’t nearly as many
IPv6 addresses as there are IPv4 addresses. And the
problem comes in when you need to get two IPv6
islands to talk to each other in an ocean of IPv4
networks. So the solution is that we encapsulate
the IPv6 traffic inside what looks on the outside
like IPv4 traffic so it can be sent over IPv4 networks.
The security implications of this come in if I have a
simple firewall that just sees an IPv4 box and doesn’t
parse it enough to see that there’s something else
in there. The firewalls don’t look closely enough at
encapsulated packets because the typical firewall
today has nothing capable of opening up the capsule.
Some vendors are starting to work together on this
problem but they aren’t there yet.

What are some of the unique challenges in
securing a dual-stack network that supports
both IPv4 and IPv6?

SH: You’re twice as vulnerable because if you had a
certain application that had security issues, then hackers
could attack it with either IPv4 or IPv6. So if a hacker
went after a system that was running two protocols
they could get to either one. For instance, they could
leverage one protocol for another by finding hosts that
run IPv4 and then using IPv6 as a covert channel.

How do the security challenges
of IPv6 networks differ from
those of IPv4 networks?

SH: One key difference I’ve already mentioned is in the
way IPv6 requires that we use migration techniques
that can create tunnels hackers can exploit. The other
area where IPv6 is different from IPv4 is that IPv6
packets use extension headers that were developed
to improve performance by simplifying the packet
header structure. Essentially IPv6 extension headers are
optional headers that let you specify certain ways you
want the packet to behave. You may want to route
the packet through a certain path on the network, for
example, or you might have a fragmentation header
that breaks up the packet and then reassembles it. In
IPv4 we had to have all those headers included in one
single header but they’re optional in IPv6. And because
they’re optional, security protocols need to parse a
variable set of headers.

Finally, if a company came to you and asked
you to help them make a checklist of things
they would need to do before changing over
to IPv6, what would you tell them?

SH: In a lot of ways it’s very similar to what they did
to secure their IPv4 networks. They’ll want to secure
the perimeter first. Then they’ll need to harden their
network devices and make sure their routers and
switches running IPv6 are hardened before turning
on specific areas of their network. In general, their
migration strategy should be going from the core on
out. Use that same practice as securing IPv4 networks
where you go from the core to the edges.

Technology Snapshot

IPv6 was created by the Internet Engineering Task Force,
a standards body that receives funding from ISOC.
IPv6 was developed because the Internet is running
out of IPv4 addresses.
IPv4 uses 32-bit addresses and can support
approximately 4.3 billion individually addressed
devices on the Internet. IPv6, on the other hand,
uses 128-bit addresses and can support so many
devices that only a mathematical expression – 2 to
the 128th power – can quantify its size.
In a recent ISOC report, the group claimed IPv6
deployment remains spotty, because there are no
concrete business drivers for IPv6. However, survey
respondents said customer demand for IPv6 is
on the rise because they feel it is the next major
development in the evolution of the Internet.
Experts predict IPv4 addresses will be gone by 2012.
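
The two inspection problems raised in the interview, IPv6 hidden inside IPv4 and a variable chain of extension headers, shown as an added Python example (not from the article or from Hogg's book). It assumes 6in4 encapsulation (IPv4 protocol 41) and handles only the hop-by-hop, routing, destination-options and fragment headers; the function names and sample packets are constructed for illustration.

```python
import struct

PROTO_IPV6_IN_IPV4 = 41  # IPv4 protocol number for encapsulated IPv6
# Extension headers sized as (Hdr Ext Len + 1) * 8 bytes
VARIABLE_EXT = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}
FRAGMENT = 44            # the fragment header is always 8 bytes


def walk_ipv6(pkt):
    """Return (extension header names, upper-layer protocol) for an IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, seen = pkt[6], 40, []
    while next_hdr in VARIABLE_EXT or next_hdr == FRAGMENT:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        size = 8 if next_hdr == FRAGMENT else (pkt[offset + 1] + 1) * 8
        if offset + size > len(pkt):
            raise ValueError("extension header runs past end of packet")
        seen.append("fragment" if next_hdr == FRAGMENT else VARIABLE_EXT[next_hdr])
        next_hdr, offset = pkt[offset], offset + size
    return seen, next_hdr


def inspect_ipv4(pkt):
    """Return None for ordinary IPv4, or walk_ipv6() of the tunnelled packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if pkt[9] != PROTO_IPV6_IN_IPV4:
        return None
    return walk_ipv6(pkt[(pkt[0] & 0x0F) * 4:])  # skip IPv4 header incl. options


def ipv4(proto, payload):  # constructed sample: 192.0.2.1 -> 198.51.100.1
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload


def ipv6(next_hdr, payload):  # constructed sample: 2001:db8::1 -> 2001:db8::2
    prefix = bytes([0x20, 0x01, 0x0D, 0xB8]) + bytes(11)
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
            + prefix + b"\x01" + prefix + b"\x02" + payload)

# Constructed inner packet: hop-by-hop -> fragment -> TCP (protocol 6)
HOP_BY_HOP = bytes([44, 0, 1, 4, 0, 0, 0, 0])  # next=fragment, PadN option
FRAG = bytes([6, 0, 0, 0, 0, 0, 0, 1])         # next=TCP, offset 0, id 1
TUNNELLED = ipv4(41, ipv6(0, HOP_BY_HOP + FRAG + bytes(20)))

print(inspect_ipv4(TUNNELLED))  # findings for the tunnelled IPv6 packet
```

Tunnels carried over UDP, such as Teredo, do not use protocol 41 and need separate handling.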

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.